Breaking Down the Impact of the Target Breach

The payments, banking and retail industries are still experiencing the fallout of the major data breach that hit Target last year. We take a look at the numbers behind the breach’s repercussions for banks, hackers and consumers.

The National Retail Federation engaged in some misdirection after the breach, blaming it on magnetic stripe cards while accusing banks of slowing down the migration to EMV. EMV technology would not have prevented much of the malware attack that Target experienced. But EMV has led to major reductions in card fraud in countries that have adopted it. The major obstacle to EMV adoption here in the U.S. remains the very high cost, and the question of just who exactly is going to pay for it.

The migration would involve $6.75 billion in costs for replacing 15 million point-of-sale devices, $1.4 billion for replacing 609 million credit and 520 billion debit cards, and $500 million for upgrading 360,000 ATMs across the U.S.

Jonathan Camhi has been an associate editor with Bank Systems & Technology since 2012. He previously worked as a freelance journalist in New York City covering politics, health and immigration, and has a master's degree from the City University of New York's Graduate School ...

I think making organizations pay some form of compensation if they were negligent in the case of a security breach definitely makes sense, and would be a huge driver for change. The problem right now is defining what is actually "negligent." So many organizations, particularly in other industries besides banking, don't have the necessary cyber security measures in place. We could really use a federal standard for handling data breaches that addresses this issue, and a number of people have called for one after the Target breach. Right now we have a bunch of different state laws that sometimes conflict with one another. If we have a standard that everyone can be measured against to determine when negligence has taken place, I think we would see some really fast change in this space.

Good point! Brand impact does seem to gather almost as much attention as what I believe making the impact personal would. I believe that stems from the potentially significant personal impact that oftentimes follows significant brand impact. Basically, it's like, "Grab 'em by the wallet and their hearts and minds will follow...". What I'd really like to see, though, is the opposite side of that coin. That is to say, some type of indemnification for parties that disclose AND ADDRESS security "events" and "issues". What are your thoughts along those lines?

Well, we saw some of the bigger banks start to work together more closely with law enforcement after the DDoS attacks last year. That is something new. And the reputational harm that could come from a data breach or cyber attack does go beyond simple financial consequences. I think that is what caused some action after the DDoS attacks.

You're right about banks in the past regarding fraud as sometimes being part of the cost of doing business. And you're right again in suspecting that that is changing as a result of the frequency and size of the data breaches that have been occurring lately. It's already getting bigger attention as a result of the DDoS attacks last year against banks. The key is that now the breaches and sums of money involved are getting bigger, which makes for bigger headlines. And the bigger the headlines, the more it affects the reputation of the bank, which is where it goes beyond the simple cost of doing business. None of the banks want to lose customers because they were hit by a huge data breach that got them on the cover of the New York Times.

No offense intended, but I've heard this song way too many times before.... "Given the latest breaches at < fill in the name >, < fill in the name >, < fill in the name >, < etc. >, < etc. >, < etc. > "they" will have to start paying more attention, providing more support, solving world hunger, creating world peace, curing cancer/heart disease/ADD/ADHD..." Realistically, as long as it's confined to mere financial consequences (never mind what goes for "mere"), there will be minimal adjustments - that is, no real change... I doubt it will ever happen in my lifetime; but, make it personal for the responsible parties - the ones actually signing off on currently quite obviously deficient security conditions and overall security postures - ( with jail time, unrecompensable financial penalties, public flogging, etc.) and you may - I say MAY - actually see some relevant and effective changes.... Until then.... Happy trails to you... :-)

As an IT Security professional, I have had the impression (possibly erroneous) that at least some members of the US banking community have not been overly concerned with IT Security - as long as the cost of the IT Security breach is minimal. The cost of IT Security breaches has, in the past, perhaps been somewhat viewed as a "cost of doing business". Please note I am not privy to any information in this regard. This is just my personal impression as an "outsider looking in". However, I do believe that now, given the size, impact, and number of recent IT Security breaches - this issue will be receiving increased attention and support. This solely reflects my personal opinion at this time - and is subject to change based on new information. Thank You.